Navigate

CCI-000125

CCI-000125 Definition

Provide a rationale for why the event types selected for logging are deemed to be adequate for support after-the-fact investigations of incidents.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents.

Validation Procedures

Examine: [SELECT FROM: Audit and accountability policy; procedures addressing auditable events; system security plan; privacy plan; system design documentation; system configuration settings and associated documentation; system audit records; system auditable events; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators]. Test: [SELECT FROM: Mechanisms implementing system auditing].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000125.

Control	Description
AU-2	a: Identify the types of events that the system is capable of logging in support of the audit function: [the event types that the system is capable of logging in support of the audit function are defined;]; b: Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c: Specify the following event types for logging within the system: [one of ]; d: Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e: Review and update the event types selected for logging [the frequency of event types selected for logging are reviewed and updated;].

Control

Description

AU-2

a: Identify the types of events that the system is capable of logging in support of the audit function: [the event types that the system is capable of logging in support of the audit function are defined;];

b: Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;

c: Specify the following event types for logging within the system: [one of ];

d: Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and

e: Review and update the event types selected for logging [the frequency of event types selected for logging are reviewed and updated;].